
Root Zone KSK Rollover: Technical Updates

19 September 2016 – First step of 2017 KSK Rollover External Test Plan completed

The 2017 KSK Rollover External Test Plan [PDF, 516 KB] describes different tests of DNS resolvers that will help plan for the Root Zone KSK rollover. Part of that test plan says:

ICANN will build an automated test suite for resolvers bundled with various popular operating systems/distributions. The tests are performed by launching virtual machines and/or containers, and executing tests with the real time and the accelerated 5011 environments. These tests will also be run in ICANN's middlebox test lab.

ICANN has now completed the first step, which is to build each operating system and capture its first outbound traffic on ports 53, 80, and 443, looking for evidence that the system performs its own recursive resolution and for any DNSSEC-related lookups. The results are that only Ubuntu 16.04 built with "DNS server" and FreeBSD 10 built with "local unbound" did their own resolution. All the rest (including those built without turning on DNS in the installation process) act as stub resolvers and use the server given to them by DHCP. Only FreeBSD 10 built with "local unbound" did DNSSEC lookups. Ubuntu 16.04 built with "DNS server" acted as a recursive server but without DNSSEC.

This investigation tells us that FreeBSD 10 built with "local unbound" should be carefully checked during the KSK rollover. This version uses a recent version of the Unbound resolver and can be tracked in the same way as Unbound itself. New versions of operating system distributions that come out during the rollover process will be tested.
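The classification described above (stub versus recursive, and whether DNSSEC lookups appear) can be reproduced from a port-53 capture. The following is an added example, not ICANN's test suite or any code from the test plan. It assumes a constructed record format of one query per line (source, destination, query name, query type, and whether the EDNS DO bit was set), a DHCP-assigned resolver at the documentation address 192.0.2.53, and three constructed captures standing in for the three behaviours the update reports.

```python
"""Classify a freshly built system's DNS behaviour from its first outbound queries.

Added example, not ICANN's test suite. The capture lines below are constructed
and use documentation/test addresses; the line format is an assumption that
stands in for whatever a real port-53 capture summary would produce.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Constructed: the resolver address handed out by DHCP in the test network.
DHCP_RESOLVER = "192.0.2.53"


@dataclass(frozen=True)
class DnsQuery:
    src: str
    dst: str
    qname: str
    qtype: str
    do_bit: bool


def parse_capture(lines: Iterable[str]) -> list[DnsQuery]:
    """Parse '<src> <dst> <qname> <qtype> <do|nodo>' lines (constructed format).

    Blank lines and '#' comments are skipped; names are lower-cased and query
    types upper-cased so later comparisons are case-insensitive.
    """
    queries: list[DnsQuery] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, qname, qtype, do = line.split()
        queries.append(DnsQuery(src, dst, qname.lower(), qtype.upper(), do == "do"))
    return queries


@dataclass(frozen=True)
class Verdict:
    own_resolution: bool      # queries sent somewhere other than the DHCP resolver
    dnssec_aware: bool        # at least one query carried the EDNS DO bit
    trust_chain_lookups: bool # the host itself asked for DNSKEY or DS records
    non_dhcp_targets: tuple[str, ...]


def classify(queries: Iterable[DnsQuery], dhcp_resolver: str = DHCP_RESOLVER) -> Verdict:
    """Decide how the system resolves names.

    A stub resolver only ever talks to the DHCP-provided server. A host doing its
    own resolution sends queries elsewhere (a priming query to a root server is
    the usual first sign). DNSSEC validation shows up as DNSKEY/DS queries issued
    by the host itself; the DO bit alone only means it asked for DNSSEC data.
    """
    qs = list(queries)
    others = sorted({q.dst for q in qs if q.dst != dhcp_resolver})
    do_seen = any(q.do_bit for q in qs)
    chain = any(q.qtype in ("DNSKEY", "DS") for q in qs)
    return Verdict(bool(others), do_seen, chain, tuple(others))


# Constructed captures: one per behaviour reported in the update.
STUB_CAPTURE = """
# stub: everything goes to the DHCP resolver, no EDNS DO
10.0.0.5 192.0.2.53 archive.example. A nodo
10.0.0.5 192.0.2.53 archive.example. AAAA nodo
10.0.0.5 192.0.2.53 ntp.example. A nodo
""".splitlines()

RECURSIVE_NO_DNSSEC_CAPTURE = """
# recursive without DNSSEC: primes from a root server, then walks down
10.0.0.6 198.41.0.4 . NS nodo
10.0.0.6 198.41.0.4 archive.example. A nodo
10.0.0.6 198.51.100.1 archive.example. A nodo
""".splitlines()

VALIDATING_CAPTURE = """
# validating recursive: DO bit set and trust-chain lookups from the root down
10.0.0.7 198.41.0.4 . NS do
10.0.0.7 198.41.0.4 . DNSKEY do
10.0.0.7 198.41.0.4 example. DS do
10.0.0.7 198.51.100.1 archive.example. A do
""".splitlines()


if __name__ == "__main__":
    for name, cap in [("stub", STUB_CAPTURE),
                      ("recursive", RECURSIVE_NO_DNSSEC_CAPTURE),
                      ("validating", VALIDATING_CAPTURE)]:
        print(name, classify(parse_capture(cap)))
```

The two DNSSEC flags are kept separate on purpose: a stub that merely sets DO (so that its upstream returns signatures) would otherwise be mistaken for a validator, whereas a host that fetches DNSKEY and DS records itself is the case that matters for the KSK rollover, since that is the host holding its own copy of the root trust anchor.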
